Regarding the URLs containing the decryption key, of course a strong password is a big benefit here, but if you're not syncing history that could perhaps eliminate big tech from the loop (though you may also need to turn off all telemetry by your browser)
Using a browser without extensions installed would prevent against extension-based exfiltration.
The only way to prevent against a malicious server would probably be to build the frontend yourself and use it with the server (I haven't tried doing this)
Using a browser without extensions installed would prevent against extension-based exfiltration.
The only way to prevent against a malicious server would probably be to build the frontend yourself and use it with the server (I haven't tried doing this)